A Q&A about Security First's Umbrella App

Last fall, Security First released an interesting new app, Umbrella, that "provides all the advice needed to operate safely in a hostile environment." I've been looking forward to it's release, since hearing about it from their team at RightsCon last year in Manila. I had a bit of time to check the app out, and decided to send them a few questions to better understand their approach. I'll be providing my own review of Umbrella in another post, but you can see their responses to my questions below, posted in full. My questions are in bold.

Umbrella's technology tips seem to focus largely on non-mobile computers, such as desktops and laptops. Why did you focus so much on this type of computing?

Do you think a mobile app with tips focused primarily on desktop and laptop computers will be beneficial to most users?

·We really wanted Umbrella to be an easily-accessible, but comprehensive, source of security advice. That means providing advice on how to operate securely across all your devices, whether mobile or otherwise – someone who uses a secure messaging app on their phone, yet still uses an insecure platform on their desktop is not operating securely. Plus digital security is only one element of what Umbrella addresses – it also covers the physical and psycho-social elements of security.

·Moreover, we will actually be creating desktop interoperability for Umbrellain the coming year, so that users can also read the content and manage their checklists from their computer if they change between devices.

How did you decide what source materials to use?

·Umbrella’s content has been sourced from best practice security manuals and digital security guides. It’s content which we have worked with in our trainings for years. Everything from ODI’s Good Practice Review and the ECHO Security Guide for Humanitarian Organisations to EFF’s Surveillance Self-Defense and Tactical Tech’s Security in a Box. There are 8 or 9 main sources that we reference and link to in the app, but the true scope of sources is an awful lot broader. Writing the content was a (very!) long process of reading all the relevant material we could find and trying to distil the advice. (We found them by speaking to activists, journalists and humanitarian workers about what they currently refer to for digital and physical security and plain old research, which came to hundreds of documents and articles.) Where there were sources that already did that to some extent, and were a useful place to send users for further information, we’d reference them.

·There are also some lessons, such as Counter-Surveillance and Meetings, that we wrote from scratch, based on the qualifications of team members, as there was no appropriate existing content.

Security in a Box is, at this time, quite dated, why did you look there as a primary source, and why do you think it's advice remains relevant?

·I wouldn’t say that Security in a Box is Umbrella’s primary source. We do of course reference it a lot in the information and communications sections, because we wanted to direct users to where they could find more information wherever possible, and in many instances Security in a Box was one of the only available resources that thoroughly described a tool or problem.

·There are obviously parts of Security in a Box that refer to tools which are no longer widely used, and we don’t push users to those parts I don’t think, but there are also some lessons that absolutely remain relevant and useful.

At SWN we've found that training tools and lessons that are heavy on information transfer can be hard for users to retain. did you consider more interactive means for users to engage with the material and demonstrate their understanding? Why did you not include quizzes or other methods besides text and checklists for users to assess their understanding and preparedness?

·We couldn’t agree more! The checklists was our first attempt at making the content interactive/ adaptable and we can already see that they’re one of the most useful elements of the app. The only reason we haven’t included more yet comes down to time and resources. Our first grant was for building the primary content elements, but we’re now looking at how to better engage users by finding interactive ways to remind them of information, reinforce behaviour, and reward implementation. This will likely include elements such as adaptive quizzes, two or more player games for colleagues, testing, a ticket system for task completion, unlocking of levels, and instructive imagery and videos. We hope to work closely with SWN to utilise the knowledge and code you guys gained on StoryMaker!

How has adoption been so far?

·Umbrella has been out for a few months now and has almost 2000 installs and that number is growing and picking up pace. We’re seeing large organisations and donors pushing it out to their partners and grantees – and we were delighted to see that, on a number of occasions, activists told them they were already using it. Most satisfying though, is individuals without connection to traditional NGO digital/physical security structures and training who come across it and find it useful. Especially as with Umbrella and our other work – we aim to bridge a gap which we see between these various fields. For example, humanitarians tend to be stronger on physical security but bad on digital, whereas human rights folks tend to be the opposite.

Are you getting much feedback from users?

·The vast majority of Google Play reviews are 5 star, but obviously what we’re interested in is substantial feedback from people who we know are our target users, so that’s what we’ve been seeking out. It’s been really positive so far. We’ve been hearing that users are delighted to have all this information, on both digital and physical security, together in one easily-accessible place – many had previously been relying on huge, out-dated PDF manuals. People are really happy with usability and navigation, and also the interconnectedness of lessons and adaptability of checklists. We’ve had a lot of requests for translations (which we are working with OTF and the Localization Lab on), an iOS version and a desktop version. Some users are also looking for localised versions and the option of journo/activist/aid worker specific versions – so the ability to better tailor advice.

What can you say about who the users are, or can you tell me about a notable use case?

·Our users are activists, journalists and aid workers. Because we don’t collect identifiable data on our users for security reasons, we can’t give you much quantitative information about who they are and where they’re from. However we’ve heard from direct and in-direct feedback that its being used by people such as activists in Egypt, Israel and Zimbabwe, journalists in Iran and Mexico, and aid workers in Afghanistan.

·One of the most interesting uses we heard of recently was that of a Mexican journalist using Umbrella to prepare before heading out to a remote area in the mountains to cover the military operation searching for El Chapo Guzman – it was an interesting contrast with some more widely publicised security efforts!

What have you learned while creating Umbrella that you didn't expect?

·Trust your teams instincts and experience. Balancing design and security wishes of users with their actual practices is tricky. For example, when conceptualising design issues around content, users told us they wanted lots of content and information, yet the reality once they got it was different – they wanted the opposite. Ditto some security features, for example, many initially told us they wanted to be forced to have to input a longer password each time they opened the app – yet once they got to the user testing point, you find that they disliked this, and retention with strong password requirement was low, so we had to find other ways to protect user information.

What are your next steps for Umbrella?

·Right now we’ve just added support for Guardian Project Ripple. Their panic button sends a signal which closes Umbrella, logs the current user out and removes the app from recently used list.

·In the coming year Umbrella’s development will be focused on three main areas:

Increase Umbrella’s functionality: We want to add several functions toUmbrella: We want to help users streamline the process of preventative planning through sharable planning forms; We want toimprove users’ awareness of the specific risks they face by improving the dashboard functionality; We want to integrate existing tools where practical and safe to do so; and we want to allow for greater tailoring and customisation throughout the app.

Broaden Umbrella’s access: Clearly, at-risk human rights defenders reside in more than English-speaking countries – we want to broaden access to as many languages as possible. We have already had requests for translation into many languages, but for practicality’s sake, we will begin with Arabic and Spanish before considering other languages. We also want to make sure that those with using desktops can also useUmbrella. (We plan to create an iPhone version of the app onceUmbrella 2.0 is complete)

Improve content and usability of Umbrella: We want to ensure that each how-to guide is as clear, concise, intuitive and tailored to users in the field as possible. While the existing app is highly functional, we want to make sure it is a pleasure to use, so as to encourage retention. We want to better engage users by finding interactive ways to remind them of information, reinforce behaviour, and reward implementation. We obviously need to ensure that content remains up-to-date and relevant. We also want to improve the system for users contributing to and collaborating on content.

What else should I have asked you about that I didn't yet?

·I liked this question from Al Jazeera a while back…

·How will the app help an activist/journalist in case of an emergency situation such as arrest?

Umbrella can help users prevent as well as react to attacks. For instance, if an activist or journalist is going to partake in, or cover a protest, Umbrellatells you what precautions to take before you go, such as what tools you should download on your phone, what plans to make with colleagues, and how to evaluate the likely risks you’ll face. If something happens at the protest and the activist/journalist is arrested despite these precautions,Umbrella’s advice and the tools recommended will help them easily alert colleagues to their emergency and location, help them protect their work and contacts by encrypting their communications and devices (if safe and legal to do so), and help them understand how best to respond physically and mentally to arrest and questioning. It further helps users after such a situation occurs with practical advice on dealing with stress.